The Technology Differences Between a Web Filter and a Traffic Shaper

First, a couple of definitions so we are all on the same page.
A Web Filter is basically a type of specialized firewall with a configurable list of URLs. Using a Web Filter, a Network Administrator can completely block specific Web sites, or block complete categories of sites, such as pornography.

A Traffic Shaper is typically deployed to change the priority of certain kinds of traffic. It is used where blocking traffic completely is not required, or is not an acceptable practice. For example, the mission of a typical Traffic Shaper might be to allow users to get into their Facebook accounts, and to limit their bandwidth so as to not overshadow other more important activities. With a shaper the idea is to limit (shape) the total amount of data traffic for a given category.

From a technology standpoint, building a Web Filter is a much easier proposition than creating a Traffic Shaper. This is not to demean the value or effort that goes into creating a good Web Filter. When I say “easier”, I mean this from a core technology point of view. Building a good Web Filter product is not so much a technology challenge, but more of a data management issue. A Web Filter worth its salt must be aware of potentially millions of various Web sites that are ever-changing. To manage these sites, a Web Filter product must be constantly getting updates. The product company supporting the Web Filter must search the Web, constantly indexing new Web sites and their contents, and then passing this information into the Web Filter product. The work is ongoing, but not necessarily daunting in terms of technology prowess. The actual blocking of a Web site is simply a matter of comparing a requested URL against the list of forbidden Web sites and blocking the request (dropping the packets).
A Traffic Shaper, on the other hand, has a more daunting task than the Web Filter. This is due to the fact that, unlike the Web Filter, a Traffic Shaper kicks in after the base URL has been loaded. I’ll walk through a generic scenario to illustrate this point. When a user logs into their Facebook account, the first URL they hit is a well-known Facebook home page. The initial request coming from their computer to the Facebook home page is easy to spot by the Web Filter, and if you block it at the first step, that is the end of the Facebook session. Now if you say to your Traffic Shaper, “I want you to limit Facebook traffic to 1 megabit”, then the task gets a bit trickier. This is because once you are logged into the Facebook page, subsequent requests are not that obvious. Suppose a user downloads an image or plays a shared video from their Facebook screen. There is likely no context for the Traffic Shaper to know the URL of the video is actually coming from Facebook. Yes, to the user it is coming from their Facebook page, but when they click the link to play the video, the Traffic Shaper only sees the video link; it is not a Facebook URL any longer. On top of that, oftentimes the Facebook page and its contents are encrypted for privacy.
For these reasons a traditional Traffic Shaper must inspect the packets to see what is inside. Does it look like Facebook data? This is not an exact science, and with the widespread use of encryption, the ability to identify traffic with accuracy is becoming all but impossible.
The good news is that there are other heuristic ways to shape traffic that are gaining traction in the industry; the bad news is that many end customers continue to struggle with the diminishing accuracy of traditional Packet Shapers.
For more in depth information on this subject, feel free to e-mail me at
By Art Reisman

NetEqualizer News: February 2015

February 2015


Enjoy another issue of NetEqualizer News! This month, we introduce an exciting new DDoS protection feature for NetEqualizer, share the results of our recent Holiday Giving Campaign, and preview our NetEqualizer 2015 Tech Seminar. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

Over the period of one week, we were contacted several times by customers asking us if the NetEqualizer could do something to alleviate an ongoing Distributed Denial of Service (DDoS) attack. It turns out we do have some technology in our arsenal for this event, but it was only available in our NetGladiator product. Purchasing a full blown NetGladiator for a random attack is often not within the scope or budget for many of our customers. So, what if we could move this utility into our standard NetEqualizer base? We could then blanket a wide swath of our customers with DDoS protection as well as enhance the value of their NetEqualizer, and so that is what we have done. Read more about this exciting new offering below!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

Are You Under Attack? NetEqualizer Can Help!

Software Update 8.2 is now available as a limited beta release and includes our new Distributed Denial of Service (DDoS) Monitor at no extra charge! In addition, our new DDoS Firewall tool (DFW) can be purchased as an add-on module for an additional fee.

The DDoS Monitor, which comes standard, shows you some basic metrics on the outside intrusion hit rate into your network. It can be used to spot anomalies which would indicate a likely DDoS attack in progress. See our detailed blog article on the subject for how this technology works. Here is a screenshot of the DDoS Monitor dashboard:


If you decide you need something more proactive to mitigate a DDoS attack, we have a solution for you! For a one time charge of $3,500, which includes one hour of training and consulting, we install our DDoS Firewall (DFW) feature, which can be configured to block standard DDoS attacks.

Also included in Software Release 8.2 is IPv6 Equalizing. We have updated our shaping algorithms to account for both IPv4 and IPv6 traffic. This enables us to provide QoS across a dual stack so that congestion is eased across all of your traffic.

Our recent efforts to include DDoS mitigation functionality and enhanced IPv6 tools were accelerated due to the fact that our customers were facing immediate impacts. We have not forgotten our promise to release RTR enhancements, which are still scheduled for release in the late spring/early summer of 2015.

You can read more about software update 8.2 here. We anticipate that the 8.2 release will be generally available in the March/April 2015 timeframe.

For questions about our DDoS offering, IPv6 shaping enhancements, or anything else, contact us anytime:

Holiday Giving Campaign Results

Thanks to you, our year-end Holiday Giving Campaign was a success! We were able to give sizable monetary donations to three worthy charities in early 2015.

This is really what the holidays are all about, and we thank you for helping us to support these worthy causes:

1) Toys for Tots: The mission for Toys for Tots is to collect new, unwrapped toys during October, November and December each year, and distribute those toys as Christmas gifts to less fortunate children in the community in which the campaign is conducted.


2) The Hunger Project: The Hunger Project is a global, non-profit, strategic organization committed to the sustainable end of world hunger.


3) Doctors Without Borders: Doctors Without Borders works in nearly 70 countries providing medical aid to those most in need regardless of their race, religion, or political affiliation.


NetEqualizer 2015 Tech Seminars

Are you interested in enhanced on-site training, as well as helping to influence the direction of our next major software release?

We have found over the years that our on-site Tech Seminars become great vehicles for customers to dig deep and derive extra value from their installed NetEqualizer(s).

For example, we have hunted down P2P users during these events, as well as validated security tools and enhanced shaping techniques. It is also a great opportunity for our engineering team to gain insight into the latest needs of our customer base.

The obligation of the host is to simply provide a conference room for demo and discussion, and also to allow some live analysis of their network. This is not a sales presentation. If you are interested in hosting, let us know!

This year, we would love to have the opportunity to present in Western Europe if anyone in that part of the world is interested!

Contact us at:

Best Of The Blog

Fourteen Tips to Make Your ISP/WISP More Profitable

By Art Reisman – CTO – APconnections

As the demand for Internet access continues to grow around the world, opportunities for service providers are emerging in markets far and wide. Yet, simply offering Internet service, even in untapped areas, does not guarantee long-term success. Just as quickly as your customer-base grows, the challenges facing ISPs and WISPs begin to emerge.

From competition to unhappy customers, the business venture that once seemed certain to succeed can quickly test the will of even the most battle-hardened and tech savvy business owners. However, there are ways to make the road to profitability a little smoother…

Photo Of The Month
Aerial Photography from Remote Control Drone
Small remote control drones with cameras are becoming very popular in the United States. This particular shot was taken by a member of our staff in New Smyrna Beach, Florida. It is looking south toward Cape Canaveral.

Firewall Recipe for DDoS Attack Prevention and Mitigation

Although you cannot “technically” stop a DDoS attack, there are ways to detect and automatically mitigate the debilitating effects on your public-facing servers. Below, we shed some light on how to accomplish this without spending hundreds of thousands of dollars on a full service security solution that may be overkill for this situation.

Most of the damage done by a targeted DDoS attack is the result of the overhead incurred on your servers from a large volume of fake inquiries into your network. Often with these attacks, it is not the volume of raw bandwidth that is the issue, but the slow response time due to the overhead on your servers. For a detailed discussion of how a DDoS attack is initiated please visit

We assume in our recipe below, that you have some sort of firewall device on your edge that can actually count hits into your network from an outside IP, and also that you can program this device to take blocking action automatically.

Note: We provide this type of service with our NetGladiator line.  As of our 8.2 software update, we also provide this in our NetEqualizer line of products.

Step 1
Calculate your baseline incoming activity. This should be a running average of unique hits per minute or perhaps per second. The important thing is that you have an idea of what is normal. Remember we are only concerned with un-initiated hits into your network, meaning outside clients that contact you without being contacted first.

Step 2
Once you have your base hit rate of incoming queries, set a flag to take action (Step 3 below) should this hit rate exceed 1.5 standard deviations above your baseline. In other words, act if your hit rate jumps by a statistically large amount compared to your baseline for no apparent reason, i.e. you did not mail out a newsletter.

Step 3
You are at Step 3 because you have noticed a much larger than average hit rate of un-initiated requests into your web site. Now you need to look for a hit count by external IP. We assume that the average human will only generate at most a hit every 10 seconds or so, maybe higher. Also, on average they will likely not generate more than 5 or 6 hits over a period of a few minutes, whereas a hijacked client attacking your site as part of a DDoS attack is likely to hit you at a much higher rate. Identify these incoming IPs and go to Step 4.

Step 4
Block these IPs on your firewall for a period of 24 hours. You don’t want to block them permanently because it is likely they are just hijacked clients, and also if they are coming from behind a NAT’d community (like a University) you will be blocking a larger number of users who had nothing to do with the attack.

If you follow these steps you should have a nice pro-active watch-dog on your firewall to mitigate the effects of any DDoS attack.
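The four steps above, worked through as an added example (this is not NetEqualizer or NetGladiator code). It assumes the firewall already exports un-initiated inbound hits as (timestamp in seconds, source IP) pairs; the 180-second window for "a few minutes", the function names and the sample traffic are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

SIGMA = 1.5                # Step 2: act at 1.5 standard deviations above baseline
HUMAN_MAX_HITS = 6         # Step 3: a person makes at most "5 or 6 hits" in the window
WINDOW_SECONDS = 180       # assumed value for "a few minutes"
BLOCK_SECONDS = 24 * 3600  # Step 4: block for 24 hours, not permanently


def per_minute_counts(hits, start, end):
    """Step 1: hits per whole minute in [start, end)."""
    counts = [0] * ((end - start) // 60)
    for ts, _ip in hits:
        if start <= ts < end:
            counts[(ts - start) // 60] += 1
    return counts


def is_anomalous(baseline_counts, current_count, sigma=SIGMA):
    """Step 2: is the current minute more than sigma deviations above the mean?"""
    return current_count > mean(baseline_counts) + sigma * pstdev(baseline_counts)


def suspects(hits, now, window=WINDOW_SECONDS, limit=HUMAN_MAX_HITS):
    """Step 3: sources whose hit count in the window exceeds a human rate."""
    per_ip = Counter(ip for ts, ip in hits if now - window <= ts < now)
    return {ip: n for ip, n in per_ip.items() if n > limit}


class Blocklist:
    """Step 4: time-limited blocks, so hijacked or NAT'd clients recover."""

    def __init__(self):
        self.expiry = {}

    def block(self, ip, now):
        self.expiry[ip] = now + BLOCK_SECONDS

    def is_blocked(self, ip, now):
        exp = self.expiry.get(ip)
        if exp is None:
            return False
        if now >= exp:          # block has aged out; forget it
            del self.expiry[ip]
            return False
        return True


def evaluate(hits, now, baseline_minutes, blocklist):
    """Run steps 1-4 for the minute ending at 'now'; return newly blocked IPs."""
    current_start = now - 60
    baseline = per_minute_counts(
        hits, current_start - baseline_minutes * 60, current_start)
    current = per_minute_counts(hits, current_start, now)[0]
    if not is_anomalous(baseline, current):
        return []
    flagged = sorted(suspects(hits, now))
    for ip in flagged:
        blocklist.block(ip, now)
    return flagged


def sample_hits():
    """Constructed traffic: 10 quiet minutes, then two sources at 1 hit/second."""
    hits = []
    for m in range(10):
        for k in range(5 + m % 3):   # 5 to 7 hits per minute, distinct clients
            hits.append((m * 60 + k * 7, f"198.51.100.{10 + (m * 7 + k) % 50}"))
    for k in range(5):               # ordinary visitors during the spike
        hits.append((600 + k * 7, f"198.51.100.{200 + k}"))
    for s in range(40):
        hits.append((600 + s, "203.0.113.5"))
        hits.append((600 + s, "203.0.113.9"))
    return hits


if __name__ == "__main__":
    bl = Blocklist()
    print(evaluate(sample_hits(), 660, 10, bl))
```

Because the per-IP check only runs after the aggregate rate trips, a single busy but legitimate client during a quiet period is never blocked.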

For further consulting on DDoS or other security related issues feel free to contact us at

NetEqualizer News: January 2015

January 2015


Enjoy another issue of NetEqualizer News! This month, we highlight leasing a NetEqualizer with NO contract, discuss our new IPv6 shaping process, share a recent case study, and preview our 2015 price adjustments. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

As we kick off 2015, I am knee-deep once again in architecting solutions, which many of you know is what I love to do most! It feels good to start 2015 following my passion – I hope you are committing or re-committing to spend time doing those things that you love most.

Speaking of architecture, this month I share with you the upcoming IPv6 Release (8.1v6) design. I also am excited to include our latest Case Study; we have captured Lutheran Health Network’s experience with the NetEqualizer. This large-scale NetEqualizer implementation is a great read, particularly for customers with multiple sites using varying bandwidths. And finally, we give you a preview of 2015 pricing. Some good news here – we have reduced prices on two license levels!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

The Joy of Leasing

In 2015, we are continuing our popular no-contract, monthly Leasing Program.

This program works best for several types of customers:

1) Customers who need to align monthly expenditures with a monthly revenue stream.

2) Customers with limited budgets that need to reduce their upfront costs.

3) Customers who would like user-based pricing.

Why is leasing a NetEqualizer joyful? We think that our leasing program is superior to what you would find through a typical 3rd party lessor. We keep the process simple, and make it easy for you to participate. In fact, we started this program because we were tired of the long drawn-out process full of tons of paperwork, signatures, and waiting, while trying to work with lessors on behalf of our customers. We decided that we could do this better, and we think we have!

We have found this model popular, as customers can immediately get the benefits of a full-featured NetEqualizer without committing to a large upfront expenditure. And, there is no long-term commitment; if your needs change in the future, you can exit or modify your Lease Program as needed.

This model works well for businesses that would like to align their shaping costs with the number of users they have on their network, rather than the size of their network pipe. In smaller businesses, this enables customers to better align their costs with their actual potential revenue stream rather than their network size.

In the past several years, we have seen Schools, Business Centers and Internet Service Providers participate in our Monthly Leasing Program.

If this sounds of interest to you, call us to discuss or check out our Leasing Program to see if it meets your needs!

Please note that the NetEqualizer Leasing Program is currently only available to customers in the United States and Canada.

Architecting the IPv6 Release (8.1v6)

We have word from a few customers running dual stacks that they do have enough IPv6 traffic that it needs to be addressed in the NetEqualizer shaper, especially during peak traffic times.

Now that IPv6 is becoming a reality in many networks, I am focusing my efforts on architecting our solution, which I share here:

We realized early on in our design choices that a customer running a dual stack may have two addressing schemes, but they still have one bandwidth link to shape as a whole. In other words, all the shaping decisions will be based on the total bandwidth across both sets of addresses, and not a separate decision for IPv6 and IPv4.

With that decision, the easiest way to accomplish this for reporting and shaping was to trick the IPv6 traffic into an IPv4 format, which is what we are going to do.

We examined real IPv6 traffic on a live network, and as expected the upper bytes in the address rarely, if ever, change. So by taking the lower 24 bits of the IPv6 address and mapping that into a locally unique IPv4 address, we can show and shape all the traffic in one table.
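A sketch of the low-24-bit mapping described above, as an added example rather than the NetEqualizer implementation. The 10.0.0.0/8 stand-in pool, the class name and the linear-probe handling of collisions are assumptions; the page only says the result must be a locally unique IPv4 address. The collision case matters because two hosts sharing the same low 24 bits would otherwise be reported and shaped as one.

```python
import ipaddress


class V6toV4Mapper:
    """Give each IPv6 host a stand-in IPv4 address taken from its low 24 bits."""

    def __init__(self, pool="10.0.0.0/8"):      # assumed unused /8 on this network
        net = ipaddress.ip_network(pool)
        if net.prefixlen != 8:
            raise ValueError("a /8 is needed to hold 24 bits of host address")
        self.base = int(net.network_address)
        self.by_v6 = {}       # IPv6Address -> IPv4Address
        self.by_v4 = {}       # IPv4Address -> IPv6Address
        self.collisions = 0   # how often the low 24 bits were already taken

    def map(self, v6_text):
        v6 = ipaddress.IPv6Address(v6_text)
        if v6 in self.by_v6:                    # stable answer for a known host
            return self.by_v6[v6]
        low24 = int(v6) & 0xFFFFFF
        for probe in range(1 << 24):
            cand = ipaddress.IPv4Address(self.base + ((low24 + probe) & 0xFFFFFF))
            if cand not in self.by_v4:
                if probe:
                    self.collisions += 1
                self.by_v4[cand] = v6
                self.by_v6[v6] = cand
                return cand
        raise RuntimeError("stand-in pool exhausted")


if __name__ == "__main__":
    m = V6toV4Mapper()
    # Constructed addresses from the IPv6 documentation prefix.
    print(m.map("2001:db8:a::12:3456"))      # low 24 bits 0x123456
    print(m.map("2001:db8:b::ff12:3456"))    # same low 24 bits, different host
    print(m.collisions)
```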

We will have Beta versions of 8.1v6 ready to run in late February. At that time we will also have examples and documentation on how to track and shape your IPv6 traffic on the NetEqualizer.

Stay tuned here to learn more about our IPv6 Release this Spring! And if you have any thoughts or input on IPv6 that you would like to share, shoot me an email at

Case Study: Lutheran Health Network

Recently we received feedback from Lutheran Health Network (LHN) on how their NetEqualizers have helped to optimize their network infrastructure. It was so much great information that we captured it as a Case Study to share with you.

Jason Whiteaker, a Senior Network Engineer at LHN, describes their environment, what challenges they faced, solutions considered, and the great results they have had with the NetEqualizer in place. Read the full Case Study here to see how the NetEqualizer has been a technical and political “win-win” for the network team.

This Case Study demonstrates how the NetEqualizer works well in hub and spoke environments. To read more about how effective the NetEqualizer is at hub and spoke shaping, check out our blog article on the subject.

2015 NetEqualizer Pricing Preview

As promised in last month’s newsletter, all newsletter readers can now get an advance peek of our 2015 NetEqualizer Pricing! For a limited time, you can now preview our 2015 Pricing here without registration. You can also view the Data Sheets for each model once in the 2015 Price List.

Our 2015 Pricing will be effective February 1st, 2015.

Key changes for 2015:

– Due to popular demand, we are adding two license levels to the NE3000 series: 500Mbps and 750 Mbps.
– Exciting news for folks looking at 100 or 150Mbps licenses. We have reduced prices on the 100Mbps and 150Mbps license levels, to better align our pricing model.
– And finally, as we are seeing more customers moving to higher bandwidth levels, we have decided to no longer offer the 10Mbps license in 2015.

If you are interested in user-based pricing, we are continuing to offer our Monthly Lease Program in 2015. You can read more about that in The Joy of Leasing in this month’s newsletter.

We will be using 2014 pricing through January, and all current quotes using the pricing will be honored for 90 days from the date the quote was originally given. However, if you have an outstanding quote on a 100 or 150Mbps unit, we will be happy to update it for you to use the new lower pricing.

We also continue to offer license upgrades on our newer NE2000’s. Remember that if you have a NE2000 purchased on or after August 2011, it is eligible for license upgrades and support. If you have an older NE2000, please contact us to discuss a trade-in.

If you have questions on pricing, feel free to contact us at:

Best Of The Blog

How Does Your ISP Actually Enforce Your Internet Speed?

By Art Reisman – CTO – APconnections

Have you ever wondered how your ISP manages to control the speed of your connection? If so, you might find the following article enlightening. Below, we’ll discuss the various trade-offs used to control and break out bandwidth rate limits and the associated side effects of using those techniques…

Photo Of The Month
Roseate Spoonbill from Merritt Island National Seashore
The best thing NASA did besides going to the moon was preserving miles and miles of shoreline on the east coast of Florida near Cape Canaveral. The Merritt Island bird loop is better than the wild animal safari you can take over at Disneyland, alligators and exotic birds like you have never seen before.

Changing times, Five Points to Consider When Trying to Shape Internet Traffic

By Art Reisman, CTO, APconnections

1) Traditional Layer 7 traffic shaper methods are NOT able to identify encrypted traffic. In fact, short of an NSA back door, built into some encryption schemes, traditional Layer 7 traffic shapers are slowly becoming obsolete as the percentage of encrypted traffic expands.
2) As of 2014, it was estimated that up to 6 percent of the traffic on the Internet is encrypted, and this is expected to double in the next year or so.
3) It is possible to identify the source and destination of traffic even on encrypted streams. The sending and receiving IPs of encrypted traffic are never encrypted, hence large content providers, such as Facebook, YouTube, and Netflix may be identified by their IP address, but there are some major caveats.

– it is common for the actual content from major content providers to be served from regional servers under different domain names (they are often registered to third parties). Simply trying to identify traffic content from its originating domain is too simplistic.

– I have been able to trace proxied traffic back to its originating domain with accuracy by first doing some experiments. I start by initiating a download from a known source, such as YouTube or Netflix, and then I can figure out the actual IP address of the proxy that the download is coming from. From this, I then know that this particular IP is most likely the source of any subsequent YouTube traffic. The shortfall with relying on this technique is that IP addresses change regionally, and there are many of them. You cannot assume what was true today will be true tomorrow with respect to any proxy domain serving up content. Think of the domains used for content like a leased food cart that changes menus each week.

4) Some traffic can be identified by behavior, even when it is encrypted. For example, the footprint of a single computer with a large connection count can usually be narrowed down to one of two things. It is usually either BitTorrent, or some kind of virus on a local computer. BitTorrents tend to open many small connections and hold them open for long periods of time. But again there are caveats. Legit BitTorrent providers such as Universities distributing public material will use just a few connections to accomplish the data transfer. Whereas consumer grade BitTorrents, often used for illegal file sharing, may use 100’s of connections to move a file.

5)  I have been alerted to solutions that require organizations to retrofit all endpoints with pre-encryption utilities, thus allowing the traffic shaper to receive data before it is encrypted.  I am not privy to the mechanics on how this is implemented, but I would assume outside of very tightly controlled networks, such a method would be a big imposition on users.

Net Neutrality must be preserved

As much as I hate to admit it, it seems a few of our Republican congressional leaders are “all in” on allowing large content providers privileged priority access on the Internet. Their goal for the 2015 congress is to thwart the President and his Mandate to the FCC on net neutrality. Can you imagine going to visit Yosemite National park and being told that the corporations that sponsor the park have taken all the campsites? Or a special lane on the Interstate dedicated exclusively for Walmart Trucks? Like our highway system and National parks, the Internet is a resource shared by all Americans. I think one of the criteria for being a politician is a certification that you flunked any class in college that involved critical or objective thinking, for example, this statement from Rep. Marsha Blackburn:

“Federal control of the internet will restrict our online freedom and leave Americans facing the same horrors that they have experienced with,”

She might as well compare the Internet to the Macy’s parade, it would make about as much sense; the Internet is a common shared utility similar to electricity and roads, and besides that, it was the Government that invented and funded most of the original Internet. The healthcare system is complex and flawed because it is a socialistic re-distribution of wealth, not even remotely similar to the Internet. The Internet needs very simple regulation to prevent abuse; this is about the only thing the government is designed to do effectively. And then there is this stifle innovation argument…

Rep. Bob Goodlatte, chair of the House Judiciary Committee, said he may seek legislation that would aim to undermine the “FCC’s net neutrality authority by shifting it to antitrust enforcers,” Politico wrote.

Calling any such net neutrality rules a drag on innovation and competition

Let me translate for him because he does not understand or want to understand the motivations of the lobbyist when they talk about stifling innovation. My words: “Regulation, in the form of FCC imposed net neutrality, will stifle the ability of the larger access providers and content providers from creating a walled off garden, thus stifling their pending monopoly on the Internet.” There are many things where I wish the Government would keep their hands out of, but the Internet is not one of them. I must side with the FCC and the President on this one.

Update Jan 31st

Another win for Net Neutrality, the Canadian Government outlaws the practice of zero rating, which is simply a back door for a provider to give free content over rivals.

NetEqualizer News: December 2014

December 2014


Enjoy another issue of NetEqualizer News! This month, we discuss our recent K-12 Schools award, introduce IPv6 shaping for NetEqualizer, and remind everyone of 2015 pricing changes. As always, feel free to pass this along to others who might be interested in NetEqualizer News.

A message from Art…
Art Reisman, CTO – APconnections

As we close out 2014, I smile as I think of what this year has taught me, both professionally and personally. Professionally, I now know that IPv6 really will be a reality in 2015, as you will read more about below. I have also learned that sometimes surprises are good – as we share with you that we received an unanticipated (but very welcome!) award from District Administration (a K-12 Schools publication) this month.

And personally, I learned that at my age I need to make sure to hydrate before a long run!

We love it when we hear back from you – so if you have a story you would like to share with us of how we have helped you, let us know. Email me directly at I would love to hear from you!

We Are Honored! NetEqualizer is a K-12 School Top 100 Product in 2014

We have always known that the NetEqualizer is great (you have too!), but it is wonderful when it is validated by an independent publication. Recently we learned that we were honored in the December 2014 edition of District Administration, a publication geared to K-12 School leadership.

NetEqualizer made the 2014 list of Top 100 Products for K-12 Schools!

The December 2014 Cover Story is the annual Top 100 Products, viewable in the District Administration online edition. According to the article, there were 2,400 unique nominations for the Top 100 this year, up from 1,800 in 2013. Winners were selected by the editorial board based on quality and quantity of the testimonials submitted from readers.

So, a big THANK YOU to the readers that submitted us for inclusion in the Top 100! We would not have received this honor without you. We truly appreciate you taking the time to say nice things about us, especially as we rely heavily on word of mouth to get our story out to our customers. If you would like to see our listing, we are on the bottom of page 52.

As we have not advertised in this publication in the past, and did not solicit inclusion for this award in any way, this took us completely (and happily) by surprise.

As Lauren Williams of District Administration mentions in her introduction to the winners, “This annual award alerts superintendents and other senior school leaders to the best products their colleagues around the country are using to help their districts excel.”

If you have not seen the winners, take a look, you might find a product that is a good fit for your K-12 School.

2015 Pricing Coming Soon

As we close out 2014, just a reminder that we are still writing quotes using our 2014 pricing, and the quotes are good for 90 days. If you are thinking of trading-in your current NetEqualizer, upgrading your license level, or getting another NetEqualizer, now is a good time to get a quote from us.

We will be using 2014 pricing through January, and all current quotes using the pricing will be honored for 90 days from the date the quote was originally given.

Look for a preview of our 2015 Pricing in our January Newsletter. Our 2015 Pricing will be effective February 1st, 2015.

Ready or Not, Here Comes IPv6!

Just this past month, we have seen several customers begin to see 10% or more IPv6 traffic on their networks when they turned on their IPv4/IPv6 dual stack.

As you may know, today IPv6 traffic is viewable under the Management & Reporting menus. To see any IPv6 traffic that you have on your network, select View Current Activity -> View Active Connections -> Active IPv6 Connections.

However, as IPv6 has historically been a small percentage of overall network traffic, we have not focused our engineering resources to-date on adding IPv6 shaping.

That is about to change! To address the increase in IPv6 traffic, we plan on putting out a winter release with a dual stack of our own. Our goal is to have code ready for an initial beta test in early February.

Our engineering team has come up with a cool way to handle dual address schemes. The NetEqualizer dual stack will map IPv6 addresses into unused IPv4 addresses – so that you will be able to track, shape, and equalize IPv6 on a standard NetEqualizer.

If you are interested in hearing more, please contact us:

Best Of The Blog

Case Study: A Simple Solution to Relieve Congestion on Your MPLS Network

By Art Reisman – CTO – APconnections

We recently installed a NetEqualizer for a national healthcare company connecting hundreds of hospitals and clinics to a central location. We were able to solve all their congestion issues on their MPLS network, while saving them tens of thousands of dollars over other solutions. The centralized NetEqualizer solution is so elegant and simple that large IT departments, who are often wined and dined by vendors with expensive WAN optimization solutions, have a hard time believing that we can solve their WAN issues at a fraction of the cost. In the coming weeks, we will release a detailed case study featuring this customer.

For now, here is the original blog article that explains our spoke and hub technology…

The problem:
A customer has a hub and spoke MPLS network where remote sites get their public Internet and corporate data by coming in on a spoke to a central site. Although the network at the host site has plenty of bandwidth, the spokes have a fixed allocation over the MPLS and are experiencing contention issues (e.g. slow response times to corporate sales data, etc.)…

Photo Of The Month
Landon Donovan
Landon Donovan is widely considered to be the best soccer player to ever come out of the United States. He has played for multiple national and international clubs. On August 7, 2014, Donovan announced that he would be retiring at the end of the 2014 Major League Soccer season; the season ended with the Galaxy winning their fourth MLS Cup of the Donovan era on Sunday December 7, 2014. This photo was taken by one of our staff members at a game last summer.
